Are Facebook sign-ins safe?

Have you ever tried to sign up for a new website and been asked whether you want to “sign in with your Facebook login”? It’s obviously a very convenient option; you can join a website without the hassle of filling in all your personal information. But is this a safe option?

The short answer is no. Using your Facebook details to join various sites around the web can be dangerous to both you and your Facebook friends, and so it’s something you should be aware of when you’re asked how you want to join a website.

The difference between a normal login and a Facebook login

Traditional login forms only take the information you type into them. This is usually your name, email address, home address and contact number. And, because you’re only using this information in one place, you can make up information for any fields that you don’t want to fill in.

Facebook logins, however, can give away a lot more of your private information. According to Facebook’s current rules, any website can use Facebook logins and get access to your profile, your email address and a list of your Facebook friends without any oversight by Facebook.

If the website wants more information than that, such as what you’ve liked on the service, the website has to be submitted to Facebook for a review. If it is approved, it’ll be able to grab stuff like:

A field called “user_place_visits” which, you guessed it, gives away information regarding what places you regularly visit

Education history

User events (a list of events you’re visiting)

Events

Photos

Relationships

Religious / political affiliations

Videos

Your work history
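
To make the two tiers above concrete, here is an added example (not from the original article and not Facebook's own code) that reads the permissions a "sign in with Facebook" link asks for and sorts them into the no-review baseline and the review-gated data listed above. The dialog URL shape, the scope parameter and every permission name except "user_place_visits" are assumptions; the sample URL is constructed.

```python
from urllib.parse import urlparse, parse_qs

# Data the article says any site gets without review: profile, email,
# friend list. These scope names are assumptions, not from the article.
BASELINE = {"public_profile", "email", "user_friends"}

# Review-gated data from the article's list. Only "user_place_visits" is
# named on the page; the other scope names are assumptions.
SENSITIVE = {
    "user_place_visits": "places you regularly visit",
    "user_education_history": "education history",
    "user_events": "events",
    "user_photos": "photos",
    "user_relationships": "relationships",
    "user_religion_politics": "religious / political affiliations",
    "user_videos": "videos",
    "user_work_history": "work history",
    "user_likes": "what you've liked",
}

def requested_scopes(login_url):
    """Return the set of permissions named in the URL's scope parameter."""
    query = parse_qs(urlparse(login_url).query)
    scopes = set()
    for value in query.get("scope", []):  # the parameter may be repeated
        # parse_qs turns '+' into a space, so accept commas and spaces
        for name in value.replace(" ", ",").split(","):
            if name.strip():
                scopes.add(name.strip().lower())
    return scopes

def audit_login_url(login_url):
    """Split requested permissions into baseline, sensitive and unknown."""
    scopes = requested_scopes(login_url)
    sensitive = sorted(scopes & set(SENSITIVE))
    return {
        "baseline": sorted(scopes & BASELINE),
        "sensitive": {name: SENSITIVE[name] for name in sensitive},
        "unknown": sorted(scopes - BASELINE - set(SENSITIVE)),
    }

# Constructed sample link; client_id, redirect_uri and the last scope
# name are placeholders.
SAMPLE = ("https://www.facebook.com/dialog/oauth?client_id=0000000000"
          "&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback"
          "&scope=public_profile,email,user_friends,user_place_visits,"
          "user_work_history,some_other_scope")

if __name__ == "__main__":
    for bucket, found in audit_login_url(SAMPLE).items():
        print(bucket, found)
```

Anything reported under "sensitive" or "unknown" is worth reading closely before you approve the login.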

It’s quite easy to see how a rogue website – or criminals who have hacked a legitimate website – could use this information to cause you trouble. Here are two scenarios where the above data could cause you problems:

Imagine you’ve “liked” your bank on Facebook. If a criminal knows the name of your bank and has your email address, they’ll be able to send you phishing emails that try to trick you into giving away your online banking login information.

Add in some location data and the emails could be even more convincing – “HSBC Paris: your bank account may be at risk” is a convincing email subject if you’re with HSBC and live in the capital of France.

Or imagine that a criminal has got access to your work history and your “user_place_visits” information. They’ll most likely be able to figure out your home address from the frequency of visits, and then contact your work to calculate when you’re in the office and not at home. The result? Potential break-ins.

What to do?

Even Facebook itself is aware of the problem, promising to add an “anonymous login” option for these websites within the next year.

Of course, we’re not saying all Facebook logins should be avoided. Just remember to read carefully what information the website is asking for, and whether you’re comfortable with that website having that information.

If you’re curious, you can check what Facebook information you’re giving away to websites right now by heading to: https://www.facebook.com/settings?tab=applications&view